[Cryptech Tech] why not deterministic ecdsa?
Basil Dolmatov
dol at reedcat.net
Mon Sep 7 16:52:55 UTC 2015
Sent from my iPhone
> On 7 Sep 2015, at 14:40, Bernd Paysan <bernd at net2o.de> wrote:
>
> On Monday, 7 September 2015, 10:27:46 Simon Josefsson wrote:
>> Leif Johansson <leifj at sunet.se> writes:
>>>> 3) Generality and separation of components (someone who uses your
>>>> ecdsa might not necessarily trust your rng).
>>>
>>> afaiu this is the usual argument for 6979 but haven't we failed if folks
>>> don't trust our rng?
>>
>> Not necessarily. Maybe they trust cryptech to protect private keys and
>> perform ecdsa signing, but want to generate keys elsewhere.
>>
>> Trusting a rng is different from trusting a device carrying out
>> verifiable computations. I wouldn't trust a rng without proof or at
>> least a convincing argument that quantifies the amount of entropy it can
>> generate.
>
> IMHO the last is crucial. Key generation may not be a very frequent operation
> (unless you use it for ephemeral key exchange on a server with high load; and
> then, you still benefit from the good randomness of the other side), but bulk
> signing of data is a common operation, e.g. zone signing in DNSSEC. If the
> signature is computed fast, and there's not much entropy available, the TRNG
> is reduced to a pure PRNG.
>
> You may trust the avalanche noise, but you may not trust the PRNG. At least
> not for something like a signature, which can reveal your secret key if
> something goes wrong. The deterministic signature means you only depend on
> the hash and the elliptic curve cryptography, nothing more. You don't have to
> trust the PRNG, you don't have to trust the entropy sources.
>
And have deterministic backdoors, which are much easier to invent and implement ;)
> --
> Bernd Paysan
> "If you want it done right, you have to do it yourself"
> net2o ID: kQusJzA;7*?t=uy at X}1GWr!+0qqp_Cn176t4(dQ*
> http://bernd-paysan.de/
> _______________________________________________
> Tech mailing list
> Tech at cryptech.is
> https://lists.cryptech.is/listinfo/tech
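As an added illustration of the two points Bernd makes in the quoted message (a deterministic nonce depends on nothing but the hash and the private key, and a repeated nonce hands the private key to anyone holding two signatures), here is a small ECDSA implementation over P-256 with RFC 6979 nonce derivation, plus the key-recovery computation for the reused-nonce case. This is example code written for this page; it is not Cryptech code and not code from anyone on the thread. The private key and the two signed messages are constructed, and the pure-Python affine curve arithmetic is for illustration only (it is not constant-time and must not be used to protect a real key).

```python
"""Deterministic ECDSA (RFC 6979 nonces) on P-256, and what goes wrong
when a nonce repeats.  Added example, not Cryptech's code."""
import hashlib
import hmac

# NIST P-256 / secp256r1 domain parameters (FIPS 186-4, SEC 2)
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
QLEN = 32  # octets needed to hold an element mod N


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine group law on y^2 = x^3 + Ax + B over GF(P); None is infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k, pt):
    """Double-and-add; fine for illustration, leaks timing in real life."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return result


def hash_to_int(msg):
    # bits2int: with hlen == qlen == 256 this is the whole digest
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def rfc6979_nonce(priv, msg):
    """RFC 6979 section 3.2 with HMAC-SHA256: k depends only on (priv, H(msg))."""
    x_bytes = priv.to_bytes(QLEN, "big")                      # int2octets(x)
    h_bytes = (hash_to_int(msg) % N).to_bytes(QLEN, "big")    # bits2octets(h1)
    V = b"\x01" * 32
    K = b"\x00" * 32
    K = hmac.new(K, V + b"\x00" + x_bytes + h_bytes, hashlib.sha256).digest()
    V = hmac.new(K, V, hashlib.sha256).digest()
    K = hmac.new(K, V + b"\x01" + x_bytes + h_bytes, hashlib.sha256).digest()
    V = hmac.new(K, V, hashlib.sha256).digest()
    while True:
        V = hmac.new(K, V, hashlib.sha256).digest()   # one block gives qlen bits
        k = int.from_bytes(V, "big")
        if 1 <= k < N:
            return k
        K = hmac.new(K, V + b"\x00", hashlib.sha256).digest()  # retry path
        V = hmac.new(K, V, hashlib.sha256).digest()


def sign(priv, msg, k=None):
    """ECDSA over SHA-256.  k=None selects the RFC 6979 nonce; passing k
    explicitly models a caller whose own RNG/PRNG chose the nonce."""
    z = hash_to_int(msg)
    if k is None:
        k = rfc6979_nonce(priv, msg)
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate signature; RFC 6979 says take the next k")
    return r, s


def verify(pub, msg, sig):
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    z = hash_to_int(msg)
    pt = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def recover_private_key(msg1, sig1, msg2, sig2):
    """Two signatures under one key with equal r (same k) leak the key:
    k = (z1 - z2) / (s1 - s2), then x = (s1*k - z1) / r   (all mod N)."""
    r1, s1 = sig1
    r2, s2 = sig2
    if r1 != r2:
        raise ValueError("distinct r values: the nonce was not reused")
    z1, z2 = hash_to_int(msg1), hash_to_int(msg2)
    k = (z1 - z2) * pow(s1 - s2, -1, N) % N
    return (s1 * k - z1) * pow(r1, -1, N) % N


# Constructed test key: any integer in [1, N-1]; not a real secret.
TEST_PRIV = int.from_bytes(hashlib.sha256(b"constructed example key").digest(), "big") % N

if __name__ == "__main__":
    pub = scalar_mult(TEST_PRIV, G)
    m1, m2 = b"example. IN SOA ...", b"www.example. IN A 192.0.2.1"  # constructed
    print("deterministic:", sign(TEST_PRIV, m1) == sign(TEST_PRIV, m1))
    bad_k = 0x1234  # constructed: a PRNG that handed out the same k twice
    s1, s2 = sign(TEST_PRIV, m1, bad_k), sign(TEST_PRIV, m2, bad_k)
    print("key recovered from nonce reuse:", recover_private_key(m1, s1, m2, s2) == TEST_PRIV)
```

Signing the same message twice with the RFC 6979 path returns byte-identical signatures, which is what makes the computation checkable by someone who does not trust the signer's entropy source; the `recover_private_key` step needs only two signatures and their messages, nothing about the signer's RNG, which is exactly the failure Bernd describes when a starved TRNG degrades to a PRNG.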